Extracted

• • Target

    60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f

  • Size

    2.2MB

  • MD5

    faa41e9bb60d2b1f71ccb77fcb3e27a7

  • SHA1

    a60d03db4eac4e3d5cacd9eabc286714bba6ef39

  • SHA256

    60b8de3f10b1dcbc38598e6d1d04ef201715d13b3ccfe26c60f9a6862f4e9f5f

  • SHA512

    acabd423e74cd5911f9675dc6f7765e337c8eec99f142ad47fe5ad241438779b4175705f7aaf82c5e12ce7ef8e54f08fb22ecb6317efca87231d692f1012b737

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZf:0UzeyQMS4DqodCnoe+iitjWwwD

  Score

  10^/10

  ponydiscoveryevasionpersistenceratspywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2